Docker Community Forums

Share and learn in the Docker community.

Docker DNS not responding from inside a container

I have Docker Desktop installed on a Windows 10 Enterprise machine (build 20H2) connected to a domain. It is a VM running on VMware, but passthrough virtualization is enabled.

From inside any container that I run, the Docker Engine’s DNS server is not responding. Take the following commands:

PS C:\docker\> docker run -it --rm --name nanoms mcr.microsoft.com/windows/servercore:20H2 powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\> nslookup nanoms
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  172.20.80.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Any ideas what could be causing this? Is there a place I can look for the Docker DNS settings or logs?

Edit (2021-02-04):
After further investigation, I can consistently replicate this issue with a brand new Windows 10 machine (the host) by connecting that host to a force-tunnel VPN. It is then immediately resolved if I disconnect from the VPN on the host (I don’t even have to restart/recreate the container).

After a lot of research and troubleshooting, we were able to resolve this issue. It is caused by a group policy setting which prevents Docker from setting up Windows firewall rules necessary to pass the DNS requests around. I found the root cause buried in the comments of an issue raised for Docker Desktop’s open source repo.

Resolution

  1. Update the “Apply local firewall rules” group policy setting to Yes for the computer running Docker (your host machine)
  2. Restart your host or execute gpupdate /force to apply the changes

Further info and troubleshooting (aka “Is this what’s causing my issue?”)

To identify whether this is what’s causing your issue, you can do a few relatively simple checks.

1. Are DNS requests failing inside containers?

  1. Open PowerShell as administrator
  2. Execute docker run -it --rm --name miniwin mcr.microsoft.com/windows/servercore:20H2 powershell
    • Note: if your host machine is not compatible with the 20H2 version, you can also use one of Microsoft’s other tags (ltsc2019 is a good backup option)
    • When the command completes, you will be at a PowerShell prompt inside the servercore container you just ran
  3. Execute nslookup miniwin - This is the friendly name we gave the container and will be used to create a DNS lookup to Docker’s embedded DNS server

If you receive a response (even a non-authoritative response), DNS is working as expected and this is not your issue.

If you receive a timeout response, then DNS requests are not working and this may be your issue.

2. Is the “Apply local firewall rules” group policy setting set to “No” on my computer?

  1. Open a CMD or PowerShell window as administrator
  2. Execute gpresult /h c:\temp\gp.html - this will create an HTML file that shows the contents of your computer’s applied group policy
  3. Open the file you just created (c:\temp\gp.html) in a web browser
  4. Click the show all link at the top of the page
  5. Search the page for “Apply local firewall rules”
  6. You should see three entries, one each for Domain Profile Settings, Private Profile Settings, and Public Profile Settings. Check the value for each one. If it is No for the network profile you’re currently using, this may be the root cause of your DNS issue.

3. Extra credit - review Windows Firewall logs

If you want to be extra sure, you can enable Windows Firewall logging, issue another nslookup command from inside your container, and watch for DROP UDP DNS entries on port 53.

  1. Open the Advanced Firewall Management snap-in (WF.msc)
  2. Open the Action menu and click Properties
  3. On the Domain Profile tab, click Customize under the Logging section
    • Note: you should do this for whichever network profile your current network connection is using, or do it for all three if you’re not sure
  4. Turn on logging for dropped packets
  5. Turn on logging for successful connections
    • This should begin logging future firewall traffic to %systemroot%\system32\LogFiles\Firewall\pfirewall.log by default, but you can change this setting in this properties window if you want
  6. Return to your PowerShell prompt executing within the container
  7. Execute nslookup miniwin again
  8. Open the log file (%systemroot%\system32\LogFiles\Firewall\pfirewall.log by default) and look for your requests. They will be using the UDP protocol and be on port 53. They will include the IP address of your container as well as the IP address of the DNS server referenced in your container. (You can find both of these by running ipconfig /all from inside your container.)